diff --git a/ChangeLog b/ChangeLog index 0d6221bb18..027edccdf5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,42 @@ +Changes in version 0.2.3.25 - 2012-11-19 + The Tor 0.2.3 release series is dedicated to the memory of Len "rabbi" + Sassaman (1980-2011), a long-time cypherpunk, anonymity researcher, + Mixmaster maintainer, Pynchon Gate co-designer, CodeCon organizer, + programmer, and friend. Unstinting in his dedication to the cause of + freedom, he inspired and helped many of us as we began our work on + anonymity, and inspires us still. Please honor his memory by writing + software to protect people's freedoms, and by helping others to do so. + + Tor 0.2.3.25, the first stable release in the 0.2.3 branch, features + significantly reduced directory overhead (via microdescriptors), + enormous crypto performance improvements for fast relays on new + enough hardware, a new v3 TLS handshake protocol that can better + resist fingerprinting, support for protocol obfuscation plugins (aka + pluggable transports), better scalability for hidden services, IPv6 + support for bridges, performance improvements like allowing clients + to skip the first round-trip on the circuit ("optimistic data") and + refilling token buckets more often, a new "stream isolation" design + to isolate different applications on different circuits, and many + stability, security, and privacy fixes. + + o Major bugfixes: + - Tor tries to wipe potentially sensitive data after using it, so + that if some subsequent security failure exposes Tor's memory, + the damage will be limited. But we had a bug where the compiler + was eliminating these wipe operations when it decided that the + memory was no longer visible to a (correctly running) program, + hence defeating our attempt at defense in depth. We fix that + by using OpenSSL's OPENSSL_cleanse() operation, which a compiler + is unlikely to optimize away. Future versions of Tor may use + a less ridiculously heavy approach for this. Fixes bug 7352. + Reported in an article by Andrey Karpov. + + o Minor bugfixes: + - Fix a harmless bug when opting against publishing a relay descriptor + because DisableNetwork is set. Fixes bug 7464; bugfix on + 0.2.3.9-alpha. + + Changes in version 0.2.4.6-alpha - 2012-11-13 Tor 0.2.4.6-alpha fixes an assert bug that has been plaguing relays, makes our defense-in-depth memory wiping more reliable, and begins to diff --git a/ReleaseNotes b/ReleaseNotes index 9e02374bac..d68eca99eb 100644 --- a/ReleaseNotes +++ b/ReleaseNotes @@ -3,6 +3,1093 @@ This document summarizes new features and bugfixes in each stable release of Tor. If you want to see more detailed descriptions of the changes in each development snapshot, see the ChangeLog file. +Changes in version 0.2.3.25 - 2012-11-19 + The Tor 0.2.3 release series is dedicated to the memory of Len "rabbi" + Sassaman (1980-2011), a long-time cypherpunk, anonymity researcher, + Mixmaster maintainer, Pynchon Gate co-designer, CodeCon organizer, + programmer, and friend. Unstinting in his dedication to the cause of + freedom, he inspired and helped many of us as we began our work on + anonymity, and inspires us still. Please honor his memory by writing + software to protect people's freedoms, and by helping others to do so. + + Tor 0.2.3.25, the first stable release in the 0.2.3 branch, features + significantly reduced directory overhead (via microdescriptors), + enormous crypto performance improvements for fast relays on new + enough hardware, a new v3 TLS handshake protocol that can better + resist fingerprinting, support for protocol obfuscation plugins (aka + pluggable transports), better scalability for hidden services, IPv6 + support for bridges, performance improvements like allowing clients + to skip the first round-trip on the circuit ("optimistic data") and + refilling token buckets more often, a new "stream isolation" design + to isolate different applications on different circuits, and many + stability, security, and privacy fixes. + + Major features (v3 directory protocol): + - Clients now use microdescriptors instead of regular descriptors + to build circuits. Microdescriptors are authority-generated + summaries of regular descriptors' contents, designed to change very + rarely (see proposal 158 for details). This feature is designed + to save bandwidth, especially for clients on slow internet + connections. Use "UseMicrodescriptors 0" to disable it. + - Caches now download, cache, and serve microdescriptors, as well + as multiple "flavors" of the consensus, including a flavor that + describes microdescriptors. + + o Major features (build hardening): + - Enable gcc and ld hardening by default. Resolves ticket 5210. + + o Major features (relay scaling): + - When built to use OpenSSL 1.0.1, and built for an x86 or x86_64 + instruction set, take advantage of OpenSSL's AESNI, bitsliced, or + vectorized AES implementations as appropriate. These can be much, + much faster than other AES implementations. + - When using OpenSSL 1.0.0 or later, use OpenSSL's counter mode + implementation. It makes AES_CTR about 7% faster than our old one + (which was about 10% faster than the one OpenSSL used to provide). + Resolves ticket 4526. + - Use OpenSSL's EVP interface for AES encryption, so that all AES + operations can use hardware acceleration (if present). Resolves + ticket 4442. + - Unconditionally use OpenSSL's AES implementation instead of our + old built-in one. OpenSSL's AES has been better for a while, and + relatively few servers should still be on any version of OpenSSL + that doesn't have good optimized assembly AES. + + o Major features (blocking resistance): + - Update TLS cipher list to match Firefox 8 and later. Resolves + ticket 4744. + - Remove support for clients falsely claiming to support standard + ciphersuites that they can actually provide. As of modern OpenSSL + versions, it's not necessary to fake any standard ciphersuite, + and doing so prevents us from using better ciphersuites in the + future, since servers can't know whether an advertised ciphersuite + is really supported or not. Some hosts -- notably, ones with very + old versions of OpenSSL or where OpenSSL has been built with ECC + disabled -- will stand out because of this change; TBB users should + not be affected. Implements the client side of proposal 198. + - Implement a new handshake protocol (v3) for authenticating Tors to + each other over TLS. It should be more resistant to fingerprinting + than previous protocols, and should require less TLS hacking for + future Tor implementations. Implements proposal 176. + - Allow variable-length padding cells, to disguise the length of + Tor's TLS records. Implements part of proposal 184. + - While we're trying to bootstrap, record how many TLS connections + fail in each state, and report which states saw the most failures + in response to any bootstrap failures. This feature may speed up + diagnosis of censorship events. Implements ticket 3116. + + o Major features (pluggable transports): + - Clients and bridges can now be configured to use a separate + "transport" proxy. This approach makes the censorship arms race + easier by allowing bridges to use protocol obfuscation plugins. + Implements proposal 180 (tickets 2841 and 3472). + + o Major features (DoS resistance): + - Now that Tor 0.2.0.x is completely deprecated, enable the final + part of "Proposal 110: Avoiding infinite length circuits" by + refusing all circuit-extend requests that do not use a relay_early + cell. This change helps Tor resist a class of denial-of-service + attacks by limiting the maximum circuit length. + - Tear down the circuit if we get an unexpected SENDME cell. Clients + could use this trick to make their circuits receive cells faster + than our flow control would have allowed, or to gum up the network, + or possibly to do targeted memory denial-of-service attacks on + entry nodes. Fixes bug 6252. Bugfix on the 54th commit on Tor -- + from July 2002, before the release of Tor 0.0.0. + + o Major features (hidden services): + - Adjust the number of introduction points that a hidden service + will try to maintain based on how long its introduction points + remain in use and how many introductions they handle. Fixes + part of bug 3825. + - Add a "tor2web mode" for clients that want to connect to hidden + services non-anonymously (and possibly more quickly). As a safety + measure to try to keep users from turning this on without knowing + what they are doing, tor2web mode must be explicitly enabled at + compile time, and a copy of Tor compiled to run in tor2web mode + cannot be used as a normal Tor client. Implements feature 2553. + + o Major features (IPv6): + - Clients can now connect to private bridges over IPv6. Bridges + still need at least one IPv4 address in order to connect to + other relays. Note that we don't yet handle the case where the + user has two bridge lines for the same bridge (one IPv4, one + IPv6). Implements parts of proposal 186. + + o Major features (directory authorities): + - Use a more secure consensus parameter voting algorithm. Now at + least three directory authorities or a majority of them must + vote on a given parameter before it will be included in the + consensus. Implements proposal 178. + - Remove the artificially low cutoff of 20KB to guarantee the Fast + flag. In the past few years the average relay speed has picked + up, and while the "top 7/8 of the network get the Fast flag" and + "all relays with 20KB or more of capacity get the Fast flag" rules + used to have the same result, now the top 7/8 of the network has + a capacity more like 32KB. Bugfix on 0.2.1.14-rc. Fixes bug 4489. + + o Major features (performance): + - Exit nodes now accept and queue data on not-yet-connected streams. + Previously, the client wasn't allowed to send data until the + stream was connected, which slowed down all connections. This + change will enable clients to perform a "fast-start" on streams + and send data without having to wait for a confirmation that the + stream has opened. Patch from Ian Goldberg; implements the server + side of Proposal 174. + - When using an exit relay running 0.2.3.x, clients can now + "optimistically" send data before the exit relay reports that + the stream has opened. This saves a round trip when starting + connections where the client speaks first (such as web browsing). + This behavior is controlled by a consensus parameter (currently + disabled). To turn it on or off manually, use the "OptimisticData" + torrc option. Implements proposal 181; code by Ian Goldberg. + - Add a new TokenBucketRefillInterval option to refill token buckets + more frequently than once per second. This should improve network + performance, alleviate queueing problems, and make traffic less + bursty. Implements proposal 183; closes ticket 3630. Design by + Florian Tschorsch and Björn Scheuermann; implementation by + Florian Tschorsch. + - Raise the threshold of server descriptors needed (75%) and exit + server descriptors needed (50%) before we will declare ourselves + bootstrapped. This will make clients start building circuits a + little later, but makes the initially constructed circuits less + skewed and less in conflict with further directory fetches. Fixes + ticket 3196. + + o Major features (relays): + - Relays now try regenerating and uploading their descriptor more + frequently if they are not listed in the consensus, or if the + version of their descriptor listed in the consensus is too + old. This fix should prevent situations where a server declines + to re-publish itself because it has done so too recently, even + though the authorities decided not to list its recent-enough + descriptor. Fix for bug 3327. + + o Major features (stream isolation): + - You can now configure Tor so that streams from different + applications are isolated on different circuits, to prevent an + attacker who sees your streams as they leave an exit node from + linking your sessions to one another. To do this, choose some way + to distinguish the applications: have them connect to different + SocksPorts, or have one of them use SOCKS4 while the other uses + SOCKS5, or have them pass different authentication strings to the + SOCKS proxy. Then, use the new SocksPort syntax to configure the + degree of isolation you need. This implements Proposal 171. + - There's a new syntax for specifying multiple client ports (such as + SOCKSPort, TransPort, DNSPort, NATDPort): you can now just declare + multiple *Port entries with full addr:port syntax on each. + The old *ListenAddress format is still supported, but you can't + mix it with the new *Port syntax. + + o Major features (bufferevents): + - Tor can now optionally build with the "bufferevents" buffered IO + backend provided by Libevent 2. To use this feature, make sure you + have the latest possible version of Libevent, and pass the + --enable-bufferevents flag to configure when building Tor from + source. This feature will make our networking code more flexible, + let us stack layers on each other, and let us use more efficient + zero-copy transports where available. + - Add experimental support for running on Windows with IOCP and no + kernel-space socket buffers. This feature is controlled by a new + "UserspaceIOCPBuffers" config option (off by default), which has + no effect unless Tor has been built with bufferevents enabled, + you're running on Windows, and you've set "DisableIOCP 0". In the + long run, this may help solve or mitigate bug 98. + + o Major features (path selection): + - The EntryNodes option can now include country codes like {de} or IP + addresses or network masks. Previously we had disallowed these + options because we didn't have an efficient way to keep the list up + to date. Addresses ticket 1982, but see bug 2798 for an unresolved + issue here. + + o Major features (port forwarding): + - Add support for automatic port mapping on the many home routers + that support NAT-PMP or UPnP. To build the support code, you'll + need to have the libnatpnp library and/or the libminiupnpc library, + and you'll need to enable the feature specifically by passing + "--enable-upnp" and/or "--enable-natpnp" to ./configure. To turn + it on, use the new PortForwarding option. + + o Major features (logging): + - Add a new 'Heartbeat' log message type to periodically log a message + describing Tor's status at level Notice. This feature is meant for + operators who log at notice, and want to make sure that their Tor + server is still working. Implementation by George Kadianakis. + - Make logging resolution configurable with a new LogTimeGranularity + option, and change the default from 1 millisecond to 1 second. + Implements enhancement 1668. + + o Major features (other): + - New "DisableNetwork" config option to prevent Tor from launching any + connections or accepting any connections except on a control port. + Bundles and controllers can set this option before letting Tor talk + to the rest of the network, for example to prevent any connections + to a non-bridge address. Packages like Orbot can also use this + option to instruct Tor to save power when the network is off. + - Try to use system facilities for enumerating local interface + addresses, before falling back to our old approach (which was + binding a UDP socket, and calling getsockname() on it). That + approach was scaring OS X users whose draconian firewall + software warned about binding to UDP sockets regardless of + whether packets were sent. Now we try to use getifaddrs(), + SIOCGIFCONF, or GetAdaptersAddresses(), depending on what the + system supports. Resolves ticket 1827. + - Add experimental support for a "defaults" torrc file to be parsed + before the regular torrc. Torrc options override the defaults file's + options in the same way that the command line overrides the torrc. + The SAVECONF controller command saves only those options which + differ between the current configuration and the defaults file. HUP + reloads both files. Implements task 4552. + + o New directory authorities: + - Add Faravahar (run by Sina Rabbani) as the ninth v3 directory + authority. Closes ticket 5749. + + o Security/privacy fixes: + - Avoid read-from-freed-memory and double-free bugs that could occur + when a DNS request fails while launching it. Fixes bug 6480; + bugfix on 0.2.0.1-alpha. + - Reject any attempt to extend to an internal address. Without + this fix, a router could be used to probe addresses on an internal + network to see whether they were accepting connections. Fixes bug + 6710; bugfix on 0.0.8pre1. + - Close any connection that sends unrecognized junk before the TLS + handshake. Solves an issue noted in bug 4369. + - The advertised platform of a relay now includes only its operating + system's name (e.g., "Linux", "Darwin", "Windows 7"), and not + its service pack level (for Windows) or its CPU architecture + (for Unix). Also drop the "git-XYZ" tag in the version. Packagers + can insert an extra string in the platform line by setting the + preprocessor variable TOR_BUILD_TAG. Resolves bug 2988. + - Disable TLS session tickets. OpenSSL's implementation was giving + our TLS session keys the lifetime of our TLS context objects, when + perfect forward secrecy would want us to discard anything that + could decrypt a link connection as soon as the link connection + was closed. Fixes bug 7139; bugfix on all versions of Tor linked + against OpenSSL 1.0.0 or later. Found by Florent Daignière. + - Tor tries to wipe potentially sensitive data after using it, so + that if some subsequent security failure exposes Tor's memory, + the damage will be limited. But we had a bug where the compiler + was eliminating these wipe operations when it decided that the + memory was no longer visible to a (correctly running) program, + hence defeating our attempt at defense in depth. We fix that + by using OpenSSL's OPENSSL_cleanse() operation, which a compiler + is unlikely to optimize away. Future versions of Tor may use + a less ridiculously heavy approach for this. Fixes bug 7352. + Reported in an article by Andrey Karpov. + + o Major bugfixes (crashes and asserts): + - Avoid a pair of double-free and use-after-mark bugs that can + occur with certain timings in canceled and re-received DNS + requests. Fixes bug 6472; bugfix on 0.0.7rc1. + - Fix a denial of service attack by which any directory authority + could crash all the others, or by which a single v2 directory + authority could crash everybody downloading v2 directory + information. Fixes bug 7191; bugfix on 0.2.0.10-alpha. + - Fix an assert that directory authorities could trigger on sighup + during some configuration state transitions. We now don't treat + it as a fatal error when the new descriptor we just generated in + init_keys() isn't accepted. Fixes bug 4438; bugfix on 0.2.1.9-alpha. + - Avoid segfault when starting up having run with an extremely old + version of Tor and parsing its state file. Fixes bug 6801; bugfix + on 0.2.2.23-alpha. + + o Major bugfixes (clients): + - If we are unable to find any exit that supports our predicted ports, + stop calling them predicted, so that we don't loop and build + hopeless circuits indefinitely. Fixes bug 3296; bugfix on 0.0.9pre6, + which introduced predicted ports. + - Check at each new consensus whether our entry guards were picked + long enough ago that we should rotate them. Previously, we only + did this check at startup, which could lead to us holding a guard + indefinitely. Fixes bug 5380; bugfix on 0.2.1.14-rc. + - When fetching a bridge descriptor from a bridge authority, + always do so anonymously, whether we have been able to open + circuits or not. Partial fix for bug 1938; bugfix on 0.2.0.7-alpha. + This behavior makes it *safer* to use UpdateBridgesFromAuthority, + but we'll need to wait for bug 6010 before it's actually usable. + + o Major bugfixes (directory voting): + - Check more thoroughly to prevent a rogue authority from + double-voting on any consensus directory parameter. Previously, + authorities would crash in this case if the total number of + votes for any parameter exceeded the number of active voters, + but would let it pass otherwise. Partially fixes bug 5786; bugfix + on 0.2.2.2-alpha. + - When computing weight parameters, behave more robustly in the + presence of a bad bwweightscale value. Previously, the authorities + would crash if they agreed on a sufficiently broken weight_scale + value; now, they use a reasonable default and carry on. Fixes the + rest of bug 5786; bugfix on 0.2.2.17-alpha. + - If authorities are unable to get a v2 consensus document from other + directory authorities, they no longer fall back to fetching + them from regular directory caches. Fixes bug 5635; bugfix on + 0.2.2.26-beta, where routers stopped downloading v2 consensus + documents entirely. + + o Major bugfixes (relays): + - Fix a bug handling SENDME cells on nonexistent streams that could + result in bizarre window values. Report and patch contributed + pseudonymously. Fixes part of bug 6271. This bug was introduced + before the first Tor release, in svn commit r152. + - Don't update the AccountingSoftLimitHitAt state file entry whenever + tor gets started. This prevents a wrong average bandwidth + estimate, which would cause relays to always start a new accounting + interval at the earliest possible moment. Fixes bug 2003; bugfix + on 0.2.2.7-alpha. Reported by Bryon Eldridge, who also helped + immensely in tracking this bug down. + - Fix a possible crash bug when checking for deactivated circuits + in connection_or_flush_from_first_active_circuit(). Fixes bug 6341; + bugfix on 0.2.2.7-alpha. Bug report and fix received pseudonymously. + - Set the SO_REUSEADDR socket option before we call bind() on outgoing + connections. This change should allow busy exit relays to stop + running out of available sockets as quickly. Fixes bug 4950; + bugfix on 0.2.2.26-beta. + + o Major bugfixes (blocking resistance): + - Bridges no longer include their address in NETINFO cells on outgoing + OR connections, to allow them to blend in better with clients. + Removes another avenue for enumerating bridges. Reported by + "troll_un". Fixes bug 4348; bugfix on 0.2.0.10-alpha, when NETINFO + cells were introduced. + - Warn the user when HTTPProxy, but no other proxy type, is + configured. This can cause surprising behavior: it doesn't send + all of Tor's traffic over the HTTPProxy -- it sends unencrypted + directory traffic only. Resolves ticket 4663. + + o Major bugfixes (hidden services): + - Improve hidden service robustness: when an attempt to connect to + a hidden service ends, be willing to refetch its hidden service + descriptors from each of the HSDir relays responsible for them + immediately. Previously, we would not consider refetching the + service's descriptors from each HSDir for 15 minutes after the last + fetch, which was inconvenient if the hidden service was not running + during the first attempt. Bugfix on 0.2.0.18-alpha; fixes bug 3335. + - Hidden services now ignore the timestamps on INTRODUCE2 cells. + They used to check that the timestamp was within 30 minutes + of their system clock, so they could cap the size of their + replay-detection cache, but that approach unnecessarily refused + service to clients with wrong clocks. Bugfix on 0.2.1.6-alpha, when + the v3 intro-point protocol (the first one which sent a timestamp + field in the INTRODUCE2 cell) was introduced; fixes bug 3460. + - When one of a hidden service's introduction points appears to be + unreachable, stop trying it. Previously, we would keep trying + to build circuits to the introduction point until we lost the + descriptor, usually because the user gave up and restarted Tor. + Fixes part of bug 3825. + + o Changes to default torrc file: + - Stop listing "socksport 9050" in torrc.sample. We open a socks + port on 9050 by default anyway, so this should not change anything + in practice. + - Stop mentioning the deprecated *ListenAddress options in + torrc.sample. Fixes bug 5438. + - Document unit of bandwidth-related options in sample torrc. + Fixes bug 5621. + - Fix broken URLs in the sample torrc file, and tell readers about + the OutboundBindAddress, ExitPolicyRejectPrivate, and + PublishServerDescriptor options. Addresses bug 4652. + + o Minor features (directory authorities): + - Consider new, removed or changed IPv6 OR ports a non-cosmetic + change when the authority is deciding whether to accept a newly + uploaded descriptor. Implements ticket 6423. + - Directory authorities are now a little more lenient at accepting + older router descriptors, or newer router descriptors that don't + make big changes. This should help ameliorate past and future + issues where routers think they have uploaded valid descriptors, + but the authorities don't think so. Fix for ticket 2479. + - Authority operators can now vote for all relays in a given + set of countries to be BadDir/BadExit/Invalid/Rejected. + - Provide two consensus parameters (FastFlagMinThreshold and + FastFlagMaxThreshold) to control the range of allowable bandwidths + for the Fast directory flag. These allow authorities to run + experiments on appropriate requirements for being a "Fast" node. + The AuthDirFastGuarantee config value still applies. Implements + ticket 3946. + + o Minor features (bridges / bridge authorities): + - Make bridge SSL certificates a bit more stealthy by using random + serial numbers, in the same fashion as OpenSSL when generating + self-signed certificates. Implements ticket 4584. + - Tag a bridge's descriptor as "never to be sent unencrypted". + This shouldn't matter, since bridges don't open non-anonymous + connections to the bridge authority and don't allow unencrypted + directory connections from clients, but we might as well make + sure. Closes bug 5139. + - The Bridge Authority now writes statistics on how many bridge + descriptors it gave out in total, and how many unique descriptors + it gave out. It also lists how often the most and least commonly + fetched descriptors were given out, as well as the median and + 25th/75th percentile. Implements tickets 4200 and 4294. + + o Minor features (IPv6): + - Make the code that clients use to detect an address change be + IPv6-aware, so that it won't fill clients' logs with error + messages when trying to get the IPv4 address of an IPv6 + connection. Implements ticket 5537. + - Relays now understand an IPv6 address when they get one from a + directory server. Resolves ticket 4875. + + o Minor features (hidden services): + - Expire old or over-used hidden service introduction points. + Required by fix for bug 3460. + - Reduce the lifetime of elements of hidden services' Diffie-Hellman + public key replay-detection cache from 60 minutes to 5 minutes. This + replay-detection cache is now used only to detect multiple + INTRODUCE2 cells specifying the same rendezvous point, so we can + avoid launching multiple simultaneous attempts to connect to it. + - When a hidden service's introduction point times out, consider + trying it again during the next attempt to connect to the + HS. Previously, we would not try it again unless a newly fetched + descriptor contained it. Required by fixes for bugs 1297 and 3825. + + o Minor features (relays): + - Relays now include a reason for regenerating their descriptors + in an HTTP header when uploading to the authorities. This will + make it easier to debug descriptor-upload issues in the future. + - Turn on directory request statistics by default and include them in + extra-info descriptors. Don't break if we have no GeoIP database. + - Replace files in stats/ rather than appending to them. Now that we + include statistics in extra-info descriptors, it makes no sense to + keep old statistics forever. Implements ticket 2930. + - Relays that set "ConnDirectionStatistics 1" write statistics on the + bidirectional use of connections to disk every 24 hours. + - Add a GeoIP file digest to the extra-info descriptor. Implements + ticket 1883. + + o Minor features (new config options): + - New config option "DynamicDHGroups" (disabled by default) provides + each bridge with a unique prime DH modulus to be used during + SSL handshakes. This option attempts to help against censors + who might use the Apache DH modulus as a static identifier for + bridges. Addresses ticket 4548. + - New config option "DisableDebuggerAttachment" (on by default) + to prevent basic debugging attachment attempts by other processes. + Supports Mac OS X and Gnu/Linux. Resolves ticket 3313. + - Ordinarily, Tor does not count traffic from private addresses (like + 127.0.0.1 or 10.0.0.1) when calculating rate limits or accounting. + There is now a new option, CountPrivateBandwidth, to disable this + behavior. Patch from Daniel Cagara. + + o Minor features (different behavior for old config options): + - Allow MapAddress directives to specify matches against super-domains, + as in "MapAddress *.torproject.org *.torproject.org.torserver.exit". + Implements issue 933. + - Don't disable the DirPort when we cannot exceed our AccountingMax + limit during this interval because the effective bandwidthrate is + low enough. This is useful in a situation where AccountMax is only + used as an additional safeguard or to provide statistics. + - Add port 6523 (Gobby) to LongLivedPorts. Patch by intrigeri; + implements ticket 3439. + - When configuring a large set of nodes in EntryNodes, and there are + enough of them listed as Guard so that we don't need to consider + the non-guard entries, prefer the ones listed with the Guard flag. + - If you set the NumCPUs option to 0, Tor will now try to detect how + many CPUs you have. This is the new default behavior. + - The NodeFamily option -- which let you declare that you want to + consider nodes to be part of a family whether they list themselves + that way or not -- now allows IP address ranges and country codes. + + o Minor features (new command-line config behavior): + - Slightly change behavior of "list" options (that is, config + options that can appear more than once) when they appear both in + torrc and on the command line. Previously, the command-line options + would be appended to the ones from torrc. Now, the command-line + options override the torrc options entirely. This new behavior + allows the user to override list options (like exit policies and + ports to listen on) from the command line, rather than simply + appending to the list. + - You can get the old (appending) command-line behavior for "list" + options by prefixing the option name with a "+". + - You can remove all the values for a "list" option from the command + line without adding any new ones by prefixing the option name + with a "/". + + o Minor features (controller, new events): + - Extend the control protocol to report flags that control a circuit's + path selection in CIRC events and in replies to 'GETINFO + circuit-status'. Implements part of ticket 2411. + - Extend the control protocol to report the hidden service address + and current state of a hidden-service-related circuit in CIRC + events and in replies to 'GETINFO circuit-status'. Implements part + of ticket 2411. + - Include the creation time of a circuit in CIRC and CIRC2 + control-port events and the list produced by the 'GETINFO + circuit-status' control-port command. + - Add a new CONF_CHANGED event so that controllers can be notified + of any configuration changes made by other controllers, or by the + user. Implements ticket 1692. + - Add a new SIGNAL event to the controller interface so that + controllers can be notified when Tor handles a signal. Resolves + issue 1955. Patch by John Brooks. + + o Minor features (controller, new getinfo options): + - Expose our view of whether we have gone dormant to the controller, + via a new "GETINFO dormant" value. Torbutton and other controllers + can use this to avoid doing periodic requests through Tor while + it's dormant (bug 4718). Resolves ticket 5954. + - Add a new GETINFO option to get total bytes read and written. Patch + from pipe, revised by atagar. Resolves ticket 2345. + - Implement new GETINFO controller fields to provide information about + the Tor process's pid, euid, username, and resource limits. + + o Minor features (controller, other): + - Allow controllers to request an event notification whenever a + circuit is cannibalized or its purpose is changed. Implements + part of ticket 3457. + - Use absolute path names when reporting the torrc filename in the + control protocol, so a controller can more easily find the torrc + file. Resolves bug 1101. + - When reporting the path to the cookie file to the controller, + give an absolute path. Resolves ticket 4881. + + o Minor features (log messages): + - Add more information to a log statement that might help track down + bug 4091. If you're seeing "Bug: tor_addr_is_internal() called with a + non-IP address" messages (or any Bug messages, for that matter!), + please let us know about it. + - If EntryNodes are given, but UseEntryGuards is set to 0, warn that + EntryNodes will have no effect. Resolves issue 2571. + - Try to make the introductory warning message that Tor prints on + startup more useful for actually finding help and information. + Resolves ticket 2474. + - When the system call to create a listener socket fails, log the + error message explaining why. This may help diagnose bug 4027. + + o Minor features (other): + - When we fail to initialize Libevent, retry with IOCP disabled so we + don't need to turn on multi-threading support in Libevent, which in + turn requires a working socketpair(). This is a workaround for bug + 4457, which affects Libevent versions from 2.0.1-alpha through + 2.0.15-stable. + - When starting as root and then changing our UID via the User + control option, and we have a ControlSocket configured, make sure + that the ControlSocket is owned by the same account that Tor will + run under. Implements ticket 3421; fix by Jérémy Bobbio. + - Accept attempts to include a password authenticator in the + handshake, as supported by SOCKS5. This handles SOCKS clients that + don't know how to omit a password when authenticating. Resolves + bug 1666. + - Check for and recover from inconsistency in the microdescriptor + cache. This will make it harder for us to accidentally free a + microdescriptor without removing it from the appropriate data + structures. Fixes issue 3135; issue noted by "wanoskarnet". + - Shorten links in the tor-exit-notice file. Patch by Christian Kujau. + + o Minor bugfixes (code security): + - Prevent a null-pointer dereference when receiving a data cell + for a nonexistent stream when the circuit in question has an + empty deliver window. We don't believe this is triggerable, + since we don't currently allow deliver windows to become empty, + but the logic is tricky enough that it's better to make the code + robust. Fixes bug 5541; bugfix on 0.0.2pre14. + - Fix a (harmless) integer overflow in cell statistics reported by + some fast relays. Fixes bug 5849; bugfix on 0.2.2.1-alpha. + - Fix our implementation of crypto_random_hostname() so it can't + overflow on ridiculously large inputs. (No Tor version has ever + provided this kind of bad inputs, but let's be correct in depth.) + Fixes bug 4413; bugfix on 0.2.2.9-alpha. Fix by Stephen Palmateer. + - Add a (probably redundant) memory clear between iterations of + the router status voting loop, to prevent future coding errors + where data might leak between iterations of the loop. Resolves + ticket 6514. + + o Minor bugfixes (wrapper functions): + - Abort if tor_vasprintf() fails in connection_printf_to_buf() (a + utility function used in the control-port code). This shouldn't + ever happen unless Tor is completely out of memory, but if it did + happen and Tor somehow recovered from it, Tor could have sent a log + message to a control port in the middle of a reply to a controller + command. Fixes part of bug 3428; bugfix on 0.1.2.3-alpha. + - Fix some (not actually triggerable) buffer size checks in usage of + tor_inet_ntop(). Fixes bug 4434; bugfix on Tor 0.2.0.1-alpha. Patch + by Anders Sundman. + - Fix parsing of some corner-cases with tor_inet_pton(). Fixes + bug 4515; bugfix on 0.2.0.1-alpha; fix by Anders Sundman. + - Enforce correct return behavior of tor_vsscanf() when the '%%' + pattern is used. Fixes bug 5558. Bugfix on 0.2.1.13. + - Make our replacement implementation of strtok_r() compatible with + the standard behavior of strtok_r(). Patch by nils. Fixes bug 5091; + bugfix on 0.2.2.1-alpha. + - Find more places in the code that should have been testing for + invalid sockets using the SOCKET_OK macro. Required for a fix + for bug 4533. Bugfix on 0.2.2.28-beta. + + o Minor bugfixes (code correctness): + - Check return value of fputs() when writing authority certificate + file. Fixes Coverity issue 709056; bugfix on 0.2.0.1-alpha. + - When building Tor on Windows with -DUNICODE (not default), ensure + that error messages, filenames, and DNS server names are always + NUL-terminated when we convert them to a single-byte encoding. + Fixes bug 5909; bugfix on 0.2.2.16-alpha. + - Fix a memory leak when trying to launch a DNS request when the + nameservers are unconfigurable. Fixes bug 5916; bugfix on Tor + 0.1.2.1-alpha. + - Correct file sizes when reading binary files on Cygwin, to avoid + a bug where Tor would fail to read its state file. Fixes bug 6844; + bugfix on 0.1.2.7-alpha. + - Make sure to set *socket_error in all error cases in + connection_connect(), so it can't produce a warning about + errno being zero from errno_to_orconn_end_reason(). Bugfix on + 0.2.1.1-alpha; resolves ticket 6028. + - Initialize conn->addr to a valid state in spawn_cpuworker(). Fixes + bug 4532; found by "troll_un". + + o Minor bugfixes (clients): + - Allow one-hop directory-fetching circuits the full "circuit build + timeout" period, rather than just half of it, before failing them + and marking the relay down. This fix should help reduce cases where + clients declare relays (or worse, bridges) unreachable because + the TLS handshake takes a few seconds to complete. Fixes bug 6743; + bugfix on 0.2.2.2-alpha, where we changed the timeout from a static + 30 seconds. + - Ensure we don't cannibalize circuits that are longer than three hops + already, so we don't end up making circuits with 5 or more + hops. Patch contributed by wanoskarnet. Fixes bug 5231; bugfix on + 0.1.0.1-rc which introduced cannibalization. + + o Minor bugfixes (relays): + - Don't publish a new relay descriptor when we reload our onion key, + unless the onion key has actually changed. Fixes bug 3263 and + resolves another cause of bug 1810. Bugfix on 0.1.1.11-alpha. + - When relays refuse a "create" cell because their queue of pending + create cells is too big (typically because their cpu can't keep up + with the arrival rate), send back reason "resource limit" rather + than reason "internal", so network measurement scripts can get a + more accurate picture. Bugfix on 0.1.1.11-alpha; fixes bug 7037. + - Exit nodes don't need to fetch certificates for authorities that + they don't recognize; only directory authorities, bridges, + and caches need to do that. Fixes part of bug 2297; bugfix on + 0.2.2.11-alpha. + + o Minor bugfixes (directory authority / mirrors): + - Avoid O(n^2) performance characteristics when parsing a large + extrainfo cache. Fixes bug 5828; bugfix on 0.2.0.1-alpha. + - Authorities no longer include any router in their microdescriptor + consensuses for which they couldn't generate or agree on a + microdescriptor. Fixes the second piece of bug 6404; fix on + 0.2.2.6-alpha. + - When checking for requested signatures on the latest consensus + before serving it to a client, make sure to check the right + consensus flavor. Bugfix on 0.2.2.6-alpha. + - Fix an edge case where TestingTorNetwork is set but the authorities + and relays all have an uptime of zero, so the private Tor network + could briefly lack support for hidden services. Fixes bug 3886; + bugfix on 0.2.2.18-alpha. + - Directory caches no longer refuse to clean out descriptors because + of missing v2 networkstatus documents, unless they're configured + to retrieve v2 networkstatus documents. Fixes bug 4838; bugfix on + 0.2.2.26-beta. Patch by Daniel Bryg. + - Don't serve or accept v2 hidden service descriptors over a relay's + DirPort. It's never correct to do so, and disabling it might + make it more annoying to exploit any bugs that turn up in the + descriptor-parsing code. Fixes bug 7149. + + o Minor bugfixes (hidden services, client-side): + - Assert that hidden-service-related operations are not performed + using single-hop circuits. Previously, Tor would assert that + client-side streams are not attached to single-hop circuits, + but not that other sensitive operations on the client and service + side are not performed using single-hop circuits. Fixes bug 3332; + bugfix on 0.0.6. + - Avoid undefined behaviour when parsing the list of supported + rendezvous/introduction protocols in a hidden service descriptor. + Previously, Tor would have confused (as-yet-unused) protocol version + numbers greater than 32 with lower ones on many platforms. Fixes + bug 6827; bugfix on 0.2.0.10-alpha. Found by George Kadianakis. + - Don't close hidden service client circuits which have almost + finished connecting to their destination when they reach + the normal circuit-build timeout. Previously, we would close + introduction circuits which are waiting for an acknowledgement + from the introduction point, and rendezvous circuits which have + been specified in an INTRODUCE1 cell sent to a hidden service, + after the normal CBT. Now, we mark them as 'timed out', and launch + another rendezvous attempt in parallel. This behavior change can + be disabled using the new CloseHSClientCircuitsImmediatelyOnTimeout + option. Fixes part of bug 1297; bugfix on 0.2.2.2-alpha. + + o Minor bugfixes (hidden services, service-side): + - Don't close hidden-service-side rendezvous circuits when they + reach the normal circuit-build timeout. This behaviour change can + be disabled using the new + CloseHSServiceRendCircuitsImmediatelyOnTimeout option. Fixes the + remaining part of bug 1297; bugfix on 0.2.2.2-alpha. + - Don't launch more than 10 service-side introduction-point circuits + for a hidden service in five minutes. Previously, we would consider + launching more introduction-point circuits if at least one second + had passed without any introduction-point circuits failing. Fixes + bug 4607; bugfix on 0.0.7pre1. + + o Minor bugfixes (config option behavior): + - If the user tries to set MyFamily on a bridge, refuse to + do so, and warn about the security implications. Fixes bug 4657; + bugfix on 0.2.0.3-alpha. + - The "--quiet" and "--hush" options now apply not only to Tor's + behavior before logs are configured, but also to Tor's behavior in + the absense of configured logs. Fixes bug 3550; bugfix on + 0.2.0.10-alpha. + - Change the AllowDotExit rules so they should actually work. + We now enforce AllowDotExit only immediately after receiving an + address via SOCKS or DNSPort: other sources are free to provide + .exit addresses after the resolution occurs. Fixes bug 3940; + bugfix on 0.2.2.1-alpha. + - Make "LearnCircuitBuildTimeout 0" work more reliably. Specifically, + don't depend on the consensus parameters or compute adaptive + timeouts when it is disabled. Fixes bug 5049; bugfix on + 0.2.2.14-alpha. + - After we pick a directory mirror, we would refuse to use it if + it's in our ExcludeExitNodes list, resulting in mysterious failures + to bootstrap for people who just wanted to avoid exiting from + certain locations. Fixes bug 5623; bugfix on 0.2.2.25-alpha. + - When told to add a bridge with the same digest as a preexisting + bridge but a different addr:port, change the addr:port as + requested. Previously we would not notice the change. Fixes half + of bug 5603; fix on 0.2.2.26-beta. + + o Minor bugfixes (controller): + - Allow manual 'authenticate' commands to the controller interface + from netcat (nc) as well as telnet. We were rejecting them because + they didn't come with the expected whitespace at the end of the + command. Bugfix on 0.1.1.1-alpha; fixes bug 2893. + - Report a real bootstrap problem to the controller on router + identity mismatch. Previously we just said "foo", which probably + made a lot of sense at the time. Fixes bug 4169; bugfix on + 0.2.1.1-alpha. + - When we receive a SIGHUP and the controller __ReloadTorrcOnSIGHUP + option is set to 0 (which Vidalia version 0.2.16 now does when + a SAVECONF attempt fails), perform other actions that SIGHUP + usually causes (like reopening the logs). Fixes bug 5095; bugfix + on 0.2.1.9-alpha. + - Correctly handle checking the permissions on the parent + directory of a control socket in the root directory. Bug found + by Esteban Manchado Velázquez. Fixes bug 5089; bugfix on Tor + 0.2.2.26-beta. + - End AUTHCHALLENGE error messages (in the control protocol) with + a CRLF. Fixes bug 5760; bugfix on 0.2.2.36. + + o Minor bugfixes (network reading/writing): + - Disable writing on marked-for-close connections when they are + blocked on bandwidth, to prevent busy-looping in Libevent. Fixes + bug 5263; bugfix on 0.0.2pre13, where we first added a special + case for flushing marked connections. + - Make sure that there are no unhandled pending TLS errors before + reading from a TLS stream. We had checks in 0.1.0.3-rc, but + lost them in 0.1.0.5-rc when we refactored read_to_buf_tls(). + Bugfix on 0.1.0.5-rc; fixes bug 4528. + - Detect SSL handshake even when the initial attempt to write the + server hello fails. Fixes bug 4592; bugfix on 0.2.0.13-alpha. + - If the client fails to set a reasonable set of ciphersuites + during its v2 handshake renegotiation, allow the renegotiation to + continue nevertheless (i.e. send all the required certificates). + Fixes bug 4591; bugfix on 0.2.0.20-rc. + + o Minor bugfixes (other): + - Exit nodes now correctly report EADDRINUSE and EADDRNOTAVAIL as + resource exhaustion, so that clients can adjust their load to + try other exits. Fixes bug 4710; bugfix on 0.1.0.1-rc, which + started using END_STREAM_REASON_RESOURCELIMIT. + - Don't check for whether the address we're using for outbound + connections has changed until after the outbound connection has + completed. On Windows, getsockname() doesn't succeed until the + connection is finished. Fixes bug 5374; bugfix on 0.1.1.14-alpha. + - Don't hold a Windows file handle open for every file mapping; + the file mapping handle is sufficient. Fixes bug 5951; bugfix on + 0.1.2.1-alpha. + - Fix wrong TCP port range in parse_port_range(). Fixes bug 6218; + bugfix on 0.2.1.10-alpha. + - If we fail to write a microdescriptor to the disk cache, do not + continue replacing the old microdescriptor file. Fixes bug 2954; + bugfix on 0.2.2.6-alpha. + + o Minor bugfixes (log messages, path selection): + - Downgrade "set buildtimeout to low value" messages to "info" + severity; they were never an actual problem, there was never + anything reasonable to do about them, and they tended to spam logs + from time to time. Fixes bug 6251; bugfix on 0.2.2.2-alpha. + - Rate-limit the "Weighted bandwidth is 0.000000" message, and add + more information to it, so that we can track it down in case it + returns again. Mitigates bug 5235. + - Check CircuitBuildTimeout and LearnCircuitBuildTimeout in + options_validate(); warn if LearnCircuitBuildTimeout is disabled and + CircuitBuildTimeout is set unreasonably low. Resolves ticket 5452. + - Issue a log message if a guard completes less than 40% of your + circuits. Threshold is configurable by torrc option + PathBiasNoticeRate and consensus parameter pb_noticepct. There is + additional, off-by-default code to disable guards which fail too + many circuits. Addresses ticket 5458. + + o Minor bugfixes (log messages, client): + - Downgrade "Got a certificate, but we already have it" log messages + from warning to info, except when we're a dirauth. Fixes bug 5238; + bugfix on 0.2.1.7-alpha. + - Fix the log message describing how we work around discovering + that our version is the ill-fated OpenSSL 0.9.8l. Fixes bug + 4837; bugfix on 0.2.2.9-alpha. + - When logging about a disallowed .exit name, do not also call it + an "invalid onion address". Fixes bug 3325; bugfix on 0.2.2.9-alpha. + - Fix a log message suggesting that people contact a non-existent + email address. Fixes bug 3448. + - Rephrase the log message emitted if the TestSocks check is + successful. Patch from Fabian Keil; fixes bug 4094. + - Log (at debug level) whenever a circuit's purpose is changed. + - Log SSL state transitions at log level DEBUG, log domain + HANDSHAKE. This can be useful for debugging censorship events. + Implements ticket 3264. + - We now log which torrc file we're using on startup. Implements + ticket 2444. + - Rate-limit log messages when asked to connect anonymously to + a private address. When these hit, they tended to hit fast and + often. Also, don't bother trying to connect to addresses that we + are sure will resolve to 127.0.0.1: getting 127.0.0.1 in a directory + reply makes us think we have been lied to, even when the address the + client tried to connect to was "localhost." Resolves ticket 2822. + + o Minor bugfixes (log messages, non-client): + - Downgrade "eventdns rejected address" message to LOG_PROTOCOL_WARN. + Fixes bug 5932; bugfix on 0.2.2.7-alpha. + - Don't log that we have "decided to publish new relay descriptor" + unless we are actually publishing a descriptor. Fixes bug 3942; + bugfix on 0.2.2.28-beta. + - Log which authority we're missing votes from when we go to fetch + them from the other auths. + - Replace "Sending publish request" log messages with "Launching + upload", so that they no longer confusingly imply that we're + sending something to a directory we might not even be connected + to yet. Fixes bug 3311; bugfix on 0.2.0.10-alpha. + - Warn when Tor is configured to use accounting in a way that can + link a hidden service to some other hidden service or public + address. Resolves ticket 6490. + - Fix a minor formatting issue in one of tor-gencert's error messages. + Fixes bug 4574. + + o Testing: + - Update to the latest version of the tinytest unit testing framework. + This includes a couple of bugfixes that can be relevant for + running forked unit tests on Windows, and removes all reserved + identifiers. + - Avoid a false positive in the util/threads unit test by increasing + the maximum timeout time. Fixes bug 6227; bugfix on 0.2.0.4-alpha. + - Make it possible to set the TestingTorNetwork configuration + option using AlternateDirAuthority and AlternateBridgeAuthority + as an alternative to setting DirServer. Addresses ticket 6377. + - Add a unit test for the environment_variable_names_equal() function. + - A wide variety of new unit tests by Esteban Manchado Velázquez. + - Numerous new unit tests for functions in util.c and address.c by + Anders Sundman. + - The long-disabled benchmark tests are now split into their own + ./src/test/bench binary. + - The benchmark tests can now use more accurate timers than + gettimeofday() when such timers are available. + - Use tt_assert(), not tor_assert(), for checking for test failures. + This makes the unit tests more able to go on in the event that + one of them fails. + + o Build improvements: + - Use the dead_strip option when building Tor on OS X. This reduces + binary size by almost 19% when linking openssl and libevent + statically, which we do for Tor Browser Bundle. + - Provide a better error message about possible OSX Asciidoc failure + reasons. Fixes bug 6436. + - Detect attempts to build Tor on (as yet hypothetical) versions + of Windows where sizeof(intptr_t) != sizeof(SOCKET). Partial + fix for bug 4533. Bugfix on 0.2.2.28-beta. + - On Windows, we now define the _WIN32_WINNT macros only if they + are not already defined. This lets the person building Tor decide, + if they want, to require a later version of Windows. + - Our autogen.sh script now uses autoreconf to launch autoconf, + automake, and so on. This is more robust against some of the failure + modes associated with running the autotools pieces on their own. + - Running "make version" now displays the version of Tor that + we're about to build. Idea from katmagic; resolves issue 4400. + - Make 'tor --digests' list hashes of all Tor source files. Bugfix + on 0.2.2.4-alpha; fixes bug 3427. + - New --enable-static-tor configure option for building Tor as + statically as possible. Idea, general hackery and thoughts from + Alexei Czeskis, John Gilmore, Jacob Appelbaum. Implements ticket + 2702. + - Limited, experimental support for building with nmake and MSVC. + + o Build requirements: + - Building Tor with bufferevent support now requires Libevent + 2.0.13-stable or later. Previous versions of Libevent had bugs in + SSL-related bufferevents and related issues that would make Tor + work badly with bufferevents. Requiring 2.0.13-stable also allows + Tor with bufferevents to take advantage of Libevent APIs + introduced after 2.0.8-rc. + - Our build system requires automake 1.6 or later to create the + Makefile.in files. Previously, you could have used 1.4. + This only affects developers and people building Tor from git; + people who build Tor from the source distribution without changing + the Makefile.am files should be fine. + - Detect when we try to build on a platform that doesn't define + AF_UNSPEC to 0. We don't work there, so refuse to compile. + + o Build fixes (compile/link): + - Format more doubles with %f, not %lf. Patch from grarpamp to make + Tor build correctly on older BSDs again. Fixes bug 3894; bugfix on + Tor 0.2.0.8-alpha. + - When building with --enable-static-tor on OpenBSD, do not + erroneously attempt to link -lrt. Fixes bug 5103. + - Set _WIN32_WINNT to 0x0501 consistently throughout the code, so + that IPv6 stuff will compile on MSVC, and compilation issues + will be easier to track down. Fixes bug 5861. + - Fix build and 64-bit compile warnings from --enable-openbsd-malloc. + Fixes bug 6379. Bugfix on 0.2.0.20-rc. + - Make Tor build correctly again with -DUNICODE -D_UNICODE defined. + Fixes bug 6097; bugfix on 0.2.2.16-alpha. + + o Build fixes (other): + - Use the _WIN32 macro throughout our code to detect Windows. + (Previously we had used the obsolete 'WIN32' and the idiosyncratic + 'MS_WINDOWS'.) + - Properly handle the case where the build-tree is not the same + as the source tree when generating src/common/common_sha1.i, + src/or/micro-revision.i, and src/or/or_sha1.i. Fixes bug 3953; + bugfix on 0.2.0.1-alpha. + - During configure, search for library containing cos function as + libm lives in libcore on some platforms (BeOS/Haiku). Linking + against libm was hard-coded before. Fixes the first part of bug + 4727; bugfix on 0.2.2.2-alpha. Patch and analysis by Martin Hebnes + Pedersen. + - Prevent a false positive from the check-spaces script, by disabling + the "whitespace between function name and (" check for functions + named 'op()'. + + o Packaging (RPM) changes: + - Update our default RPM spec files to work with mock and rpmbuild + on RHEL/Fedora. They have an updated set of dependencies and + conflicts, a fix for an ancient typo when creating the "_tor" + user, and better instructions. Thanks to Ondrej Mikle for the + patch series. Fixes bug 6043. + - On OpenSUSE, create the /var/run/tor directory on startup if it + is not already created. Patch from Andreas Stieger. Fixes bug 2573. + + o Code refactoring (safety): + - Do not use SMARTLIST_FOREACH for any loop whose body exceeds + 10 lines. Also, don't nest them. Doing so in the past has + led to hard-to-debug code. The new style is to use the + SMARTLIST_FOREACH_{BEGIN,END} pair. Addresses issue 6400. + - Use macros to indicate OpenSSL versions, so we don't need to worry + about accidental hexadecimal bit shifts. + - Use tor_sscanf() in place of scanf() in more places through the + code. This makes us a little more locale-independent, and + should help shut up code-analysis tools that can't tell + a safe sscanf string from a dangerous one. + - Convert more instances of tor_snprintf+tor_strdup into tor_asprintf. + - Use the smartlist_add_asprintf() alias more consistently. + + o Code refactoring (consolidate): + - A major revision to our internal node-selecting and listing logic. + Tor already had at least two major ways to look at the question of + "which Tor servers do we know about": a list of router descriptors, + and a list of entries in the current consensus. With + microdescriptors, we're adding a third. Having so many systems + without an abstraction layer over them was hurting the codebase. + Now, we have a new "node_t" abstraction that presents a consistent + interface to a client's view of a Tor node, and holds (nearly) all + of the mutable state formerly in routerinfo_t and routerstatus_t. + - Move tor_gettimeofday_cached() into compat_libevent.c, and use + Libevent's notion of cached time when possible. + - Remove duplicate code for invoking getrlimit() from control.c. + - Use OpenSSL's built-in SSL_state_string_long() instead of our + own homebrewed ssl_state_to_string() replacement. Patch from + Emile Snyder. Fixes bug 4653. + - Change the symmetric cipher interface so that creating and + initializing a stream cipher are no longer separate functions. + + o Code refactoring (separate): + - Make a new "entry connection" struct as an internal subtype of "edge + connection", to simplify the code and make exit connections smaller. + - Split connection_about_to_close() into separate functions for each + connection type. + - Rewrite the listener-selection logic so that parsing which ports + we want to listen on is now separate from binding to the ports + we want. + + o Code refactoring (name changes): + - Rename a handful of old identifiers, mostly related to crypto + structures and crypto functions. By convention, our "create an + object" functions are called "type_new()", our "free an object" + functions are called "type_free()", and our types indicate that + they are types only with a final "_t". But a handful of older + types and functions broke these rules, with function names like + "type_create" or "subsystem_op_type", or with type names like + type_env_t. + - Rename Tor functions that turn strings into addresses, so that + "parse" indicates that no hostname resolution occurs, and + "lookup" indicates that hostname resolution may occur. This + should help prevent mistakes in the future. Fixes bug 3512. + - Use the name "CERTS" consistently to refer to the new cell type; + we were calling it CERT in some places and CERTS in others. + - Use a TOR_INVALID_SOCKET macro when initializing a socket to an + invalid value, rather than just -1. + - Rename the bench_{aes,dmap} functions to test_*, so that tinytest + can pick them up when the tests aren't disabled. Bugfix on + 0.2.2.4-alpha which introduced tinytest. + + o Code refactoring (other): + - Defensively refactor rend_mid_rendezvous() so that protocol + violations and length checks happen in the beginning. Fixes + bug 5645. + - Remove the pure attribute from all functions that used it + previously. In many cases we assigned it incorrectly, because the + functions might assert or call impure functions, and we don't have + evidence that keeping the pure attribute is worthwhile. Implements + changes suggested in ticket 4421. + - Move the replay-detection cache for the RSA-encrypted parts of + INTRODUCE2 cells to the introduction point data structures. + Previously, we would use one replay-detection cache per hidden + service. Required by fix for bug 3460. + - The helper programs tor-gencert, tor-resolve, and tor-checkkey + no longer link against Libevent: they never used it, but + our library structure used to force them to link it. + + o Removed features and files: + - Remove all internal support for unpadded RSA. We never used it, and + it would be a bad idea to start. + - Remove some workaround code for OpenSSL 0.9.6 (which is no longer + supported). + - Remove some redundant #include directives throughout the code. + Patch from Andrea Gelmini. + - Remove some old code to remember statistics about which descriptors + we've served as a directory mirror. The feature wasn't used and + is outdated now that microdescriptors are around. + - Remove some old code to work around even older versions of Tor that + used forked processes to handle DNS requests. Such versions of Tor + are no longer in use as relays. + - The "torify" script no longer supports the "tsocks" socksifier + tool, since tsocks doesn't support DNS and UDP right for Tor. + Everyone should be using torsocks instead. Fixes bugs 3530 and + 5180. Based on a patch by "ugh". + - Remove the torrc.bridge file: we don't use it for anything, and + it had become badly desynchronized from torrc.sample. Resolves + bug 5622. + + o Documentation: + - Begin a doc/state-contents.txt file to explain the contents of + the Tor state file. Fixes bug 2987. + - Clarify the documentation for the Alternate*Authority options. + Fixes bug 6387. + - Document the --defaults-torrc option, and the new semantics for + overriding, extending, and clearing lists of options. Closes + bug 4748. + - Add missing man page documentation for consensus and microdesc + files. Resolves ticket 6732. + - Fix some typos in the manpages. Patch from A. Costa. Fixes bug 6500. + + o Documentation fixes: + - Improve the manual's documentation for the NT Service command-line + options. Addresses ticket 3964. + - Clarify SessionGroup documentation slightly; resolves ticket 5437. + - Document the changes to the ORPort and DirPort options, and the + fact that {OR/Dir}ListenAddress is now unnecessary (and + therefore deprecated). Resolves ticket 5597. + - Correct a broken faq link in the INSTALL file. Fixes bug 2307. + - Clarify that hidden services are TCP only. Fixes bug 6024. + + Changes in version 0.2.2.39 - 2012-09-11 Tor 0.2.2.39 fixes two more opportunities for remotely triggerable assertions.